I have a friend at a 7-person company which has an issue with email confidentiality.

Each time they send out an email with quotes to a customer, the competitor gets the message within 30 minutes and sends its own quotes to the same customer.
They found out because a customer complained that they got quotes from companies they don't know.

They use Windows systems and Outlook to process their emails. If I want to do a security plan for them, where should I start?
I am looking for references to sites with a checklist.

For example:

Check for a trojan horse installed on each Windows client and on the Exchange server?

Check the easiest option first: is there an Outlook rule on the senders' computer that is sending a copy of every sent email to someone else?

In Outlook 2010 this is under Rules > Manage Rules and Alerts.

That sort of rule is probably a client-only rule, meaning it will work only when Outlook on that particular computer is used to send email.
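The check described in this answer, as an added PowerShell example (not code from the original thread): it walks the rules of the default Outlook profile on the affected Windows client through the Outlook Object Model (COM) and reports every rule whose Forward, ForwardAsAttachment, Redirect or CC action points at an address outside the company's domain. The domain `example.com` is a placeholder for the company's own domain; Outlook must be installed with a configured profile, and the script runs in the sender's own session.

```powershell
# Added example, not from the original answer: audit Outlook rules on the local
# client for actions that send a copy of mail to another mailbox.
# Assumes Outlook is installed and the current user has a configured profile.

function Get-SuspiciousOutlookRules {
    param(
        # Domains the company legitimately mails itself on; anything else is flagged.
        # 'example.com' is a placeholder; replace it with the company's real domain.
        [string[]]$TrustedDomains = @('example.com')
    )

    $outlook = New-Object -ComObject Outlook.Application
    $session = $outlook.GetNamespace('MAPI')
    $rules   = $session.DefaultStore.GetRules()

    $findings = @()
    foreach ($rule in $rules) {
        # RuleType: 0 = applies to received mail, 1 = applies to sent mail.
        # A rule on sent mail is the one this answer is talking about.
        $ruleType = if ($rule.RuleType -eq 1) { 'Send' } else { 'Receive' }

        # The actions that can leak a copy of a message out of the mailbox.
        $actions = @(
            @{ Name = 'Forward';             Action = $rule.Actions.Forward },
            @{ Name = 'ForwardAsAttachment'; Action = $rule.Actions.ForwardAsAttachment },
            @{ Name = 'Redirect';            Action = $rule.Actions.Redirect },
            @{ Name = 'CC';                  Action = $rule.Actions.CC }
        )

        foreach ($entry in $actions) {
            $action = $entry.Action
            if (-not $action -or -not $action.Enabled) { continue }

            foreach ($recipient in $action.Recipients) {
                # Exchange recipients expose an X500 address; resolve it to SMTP
                # so the domain comparison below is meaningful.
                $address = $recipient.Address
                if ($recipient.AddressEntry.Type -eq 'EX') {
                    $exUser = $recipient.AddressEntry.GetExchangeUser()
                    if ($exUser) { $address = $exUser.PrimarySmtpAddress }
                }

                $domain   = (($address -split '@')[-1]).ToLower()
                $external = ($TrustedDomains | ForEach-Object { $_.ToLower() }) -notcontains $domain

                $findings += [pscustomobject]@{
                    Rule       = $rule.Name
                    Enabled    = $rule.Enabled
                    Type       = $ruleType
                    ClientOnly = $rule.IsLocalRule   # True for client-only rules
                    Action     = $entry.Name
                    Recipient  = $address
                    External   = $external
                }
            }
        }
    }
    return $findings
}

# Usage: show every rule that copies mail to an address outside the company.
Get-SuspiciousOutlookRules -TrustedDomains 'example.com' |
    Where-Object { $_.External } |
    Format-Table -AutoSize
```

Because the Outlook Object Model only sees the rules of the profile it is run under, this has to be repeated on each sender's machine. Server-side inbox rules stored in Exchange are a separate place to look; the Exchange Management Shell cmdlet `Get-InboxRule` exposes them per mailbox, with `ForwardTo`, `ForwardAsAttachmentTo` and `RedirectTo` properties that can be filtered the same way.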

As a useful diagnostic tool, get one of the customers to send a copy (with full headers) of the emails with unsolicited quotes. This will allow you to find out which companies are "profiting" from this leak. If they are not cautious, there might even be a copy of the "leaked" email included, which will make finding the culprit a lot easier.

The problem is that the compromised component could be at any step along the way. For example:

A compromised workstation (or perhaps even all of them)

A device strategically located on the network to intercept outbound traffic

A compromised email server

A forwarding rule in the mail configuration that sends traffic to the competitor

A non-technical leak (such as a poorly-behaved employee)

The almost-guaranteed-to-work solution is to throw out everything and start over. And if you ask on the Internet, that's almost always the answer you'll get. Otherwise, you'll have to identify the underlying cause and resolve it.

If a directed diagnostic effort is outside your range of abilities or options, then the popular solution is to guess at something, fix it, and then see if the problem goes away.

Separate from the various technical answers here, they should also consult their lawyer. The competition may well be committing a serious criminal offence in your jurisdiction; and there may be civil remedies as well.